[Snort-users] Part of traffic matching wrong rule

Juergen Anthamatten juergen.anthamatten at ...158...
Tue Jun 24 11:21:20 EDT 2003


I have the strange behaviour in snort that part of the traffic is matching
the wrong rule.

The details:
I'd like to alarm on tcp syn-ack packets sent back by a server violating
our policy. Therefore I "pass" all allowed syn-ack traffic and then I
"alarm" on all other syn-ack packets. 
This works almost fine, except for about 1% of the traffic, matching
theoretically the pass rule, this rule is not hitting and the alarm rule
is triggering instead.

Relevant configuration info:
Snort Version: 2.0.0
Rule application order: alert->pass->alarm

var HOME_NET    64.232.48.224/28
var UNIVERSE    0.0.0.0/0
var host1       64.232.48.230

pass    tcp     $host1      80  ->  $UNIVERSE   1024:   (flags: SA;)
alarm   tcp     $HOME_NET   any ->  $UNIVERSE   any     (flags: SA;
msg:"Forbidden synAck from HOME_NET";)


As the following extract of the alarm-logfile shows, this packet, which
fits theoretically the pass-rule, is not matching the pass-rule but the
final alarm-rule.
"
... 64.232.48.230.80 > 88.34.112.22.8888: S 2146395230:2146395230(0) ack
3671809919 win 32120 <mss 1460,nop,nop,sackOK> (DF)
"

(For about 99% of the syn-ack responses from 64.232.48.230.80 the pass-rule
is
matching and no alarm is triggered.)

Is this a missconfiguration, or ??? 
TIA for any hints.....

./juergen

-- 
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!





More information about the Snort-users mailing list